FTC Safeguards Rule – How TraitWare® Secures the Financial Industry

Summary

The Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care. TraitWare® helps our financial industry customers with compliance, user experience, and overall security. Our cutting-edge security technology eliminates usernames and passwords to protect sensitive financial and personal information. We use passwordless authentication with inherent multi-factor authentication to secure your data while reducing user friction around logging into websites. We strive to meet and, when possible, exceed the authentication recommendations and guidance provided by the Safeguards Rule and NIST. Issued and filed patents cover the proprietary processes that achieve these standards of security and simplicity.

Recent Updates to the Safeguards Rule: In 2021, the Federal Trade Commission (FTC) announced a change to the Safeguards Rule to include non-financial institutions that engage in financial transactions. This includes auto dealerships, which have not seen consistency across the country with respect to guidance dictating cybersecurity policies. Dealerships must now be in compliance with several new rules to protect consumer information including using multi-factor authentication (MFA) to protect their endpoints.


Financial Security Today

When the Safeguards Rule of the Gramm-Leach-Bliley (GLB) Act was put into place in 1999, the Internet was still in its infancy. It was created with the best intentions to ensure the safety and privacy of Personally Identifiable Information (PII). While security and privacy have always been a priority of the financial industry, the means to invade, steal, and use personal and financial information continue to grow and become more sophisticated every year. We are in the midst of a digital world that reaches far beyond the Internet into nearly every facet of our daily lives. Due to this inescapable reach, it has become increasingly necessary to safeguard the things that are most dear to us, and in the case of the financial industry, our very identities and financial security are of utmost importance.

One of the largest threats to financial security is the lack of means to ensure that personal and financial information is accessed only by those who are authorized, including both corporate employees and consumers. Security breaches at JPMorgan Chase & Co, Anthem, and Sony Pictures, as well as other high-profile hacks, have signaled that large multinational corporations are susceptible to massive digital attacks when their systems continue to rely on the combination of usernames and passwords. This long-standing industry standard of using passwords has become a security pariah and has been directly responsible for the loss of data in some of the most recent and high-profile hacks, including all of those mentioned above.

Fortunately, TraitWare® is dedicated to helping you Secure and Simplify your Digital Life™ by eliminating the need for usernames and passwords. When it comes to the financial industry, we are excited to offer solutions that keep our customers in compliance with the latest Safeguards Rule requirements and recommendations while offering vastly improved security. In a 2014 interview about banking security with Jeremy Grant, Senior Executive at the National Institute of Standards and Technology (NIST) and head of the government’s National Strategy for Trusted Identities in Cyberspace (NSTIC), Grant spoke to the goal of the complete elimination of usernames and passwords for authentication. Grant stated that he is “optimistic that we’re nearing a tipping point right now with new types of technologies that are emerging.”[1] With the latest developments provided by TraitWare® that goal has now been reached. With our current platform release, we are perfectly positioned to help all of our financial industry customers completely do away with usernames and passwords to significantly reduce or eliminate their potential exposure to security breaches.

Now is the Time to Finally Get Rid of Usernames and Passwords

Verizon’s annual Data Breach Investigations Report continually shows that more than 50% of data breaches or data loss can be traced back to some form of password compromise.[2]

While the Safeguards Rule offers suggestions on best practices for using passwords, one can easily see why it is of paramount importance to stay proactive in this area rather than wait for an almost inevitable data breach. Even more, passwords do not truly verify that the person accessing secured resources is the correct person. Despite best practices, passwords can still be shared, hacked, and phished. TraitWare®’s patented/patent-pending technology is ready to help our customers make the switch to a world without passwords and keep several steps ahead of bad actors wishing to compromise personal and financial data, while at the same time simplifying the login process.

How TraitWare® Can Meet Your Authentication Needs

Because sensitive financial data can be accessed in a variety of ways from a variety of locations, securing your resources with a simple, minimal-friction two-factor authentication solution can ease the burden on customers and employees when it comes to accessing those resources. Understanding the concern and immediate security need, Benjamin Lawsky, superintendent of the New York State Department of Financial Services, is considering regulations requiring two-factor authentication for the banking and insurance industries. He goes further to state, “The passwords system should have been buried a long time ago and it’s high time we buried it.”[3]

Two-factor authentication uses a combination of factors to help prove your identity during login. These factors are ‘something you know,’ like a password or PIN, ‘something you have’ such as a smartphone, and ‘something you are’ which refers to a biometric such as a fingerprint. From internal private networks to consumer web portals, TraitWare® is a platform that supports the numerous avenues our customers and their user base use to log in to access sensitive financial information.

Many are familiar with the one-time passcode (OTP) method of two-factor authentication. You attempt to log in with a username and password, and a short numerical passcode is sent to your phone in a text message. You enter the passcode into the prompt and you are logged in. While that is one method of two-factor authentication, there are still security risks, and the user experience is error-prone and cumbersome.

TraitWare® is a modern authentication solution that provides passwordless authentication. This modern approach reduces the complexity of current authentication methods and increases the overall security footprint. We do this by using your smartphone for the entirety of the login and authentication process. A person with a registered TraitWare® app on their smartphone only needs to authenticate the app using a fingerprint or a visual PIN, which we call PhotoAuth®. Once authenticated, the person can log into a PC website by scanning a QR code on the PC screen using the app, or the site can be automatically opened on their TraitWare® registered mobile device. Behind the scenes, TraitWare® is handling all of the security and authentication to instantly and seamlessly log you in without a username or password.

There are many actions that take place behind the scenes to verify the identity of the user that are unique to the TraitWare® process. All of these pieces work seamlessly together and are nearly invisible to the user.

User Authentication

From the user perspective, you only need to perform one action to authenticate your smartphone for use in logging in without a username or password. This is either using a fingerprint reader on the smartphone (such as those on the iPhone 7 and above, or the Samsung S7 and above) or entering a PhotoAuth® sequence, which is a visual PIN. Once this is done, the device releases a unique key that represents a correctly used fingerprint or valid PhotoAuth® sequence. This key is sent to the TraitWare® server for verification and does not contain any biometric information. This represents “something you are” (fingerprint) or “something you know” (PhotoAuth® sequence).

Device Fingerprinting

When a person first registers the TraitWare® app, after an initial identity proofing process decided by each customer, we take a digital fingerprint of the user-created content on the device on which the app is installed. This content consists of items such as contacts, music, and the list of user-installed apps. This digital biometric is mathematically converted so that no personal information can be recovered from it. Based upon the device fingerprint comparison, using TraitWare®’s patent-pending, specially designed algorithm, we are able to confirm it is a unique device to that user with odds of 1 in 360 billion. On subsequent authentication attempts, TraitWare® computes an updated device fingerprint for comparison. Even when a person substantially changes the content on their device, the TraitWare® algorithm is able to confirm it is the same user. This represents a highly unique and completely confidential combination of “something you have” (your smartphone) and “something you are” (your unique digital biometric).

Cryptographic Safeguards

We create a unique public/private cryptographic key pair that we use to digitally sign communications to our authentication server. Once the public key is registered with our server during the initial app activation, each authentication attempt is digitally signed by the private key, proving possession of the device. This helps to prevent man-in-the-middle type attacks and allows the TraitWare® authentication server to verify the integrity of the data it receives from the user’s smartphone during an authentication attempt. In addition to data integrity, possession of the correct cryptographic keys represents “something you have” (your smartphone).

TraitWare® Authentication Server

After the user has authenticated their smartphone, they are able to use it to log into protected sites. On a PC login screen used to access internal resources or PII, instead of a username or password, the user is presented with a QR code unique to your system, which confirms to the user that they are working with your server and not one that has been spoofed. They scan the QR code with their authenticated TraitWare® smartphone app to log in. For logging in on a mobile device, users can either select a site from a list of allowed websites within the app or navigate directly to a mobile site to log in. Each of these login methods sets off a behind-the-scenes sequence of steps based on the OAuth 2.0 authorization protocol. The server containing the protected resources communicates directly through an encrypted channel with the TraitWare® Authentication Server. If the user has been successfully authenticated, the TraitWare® server passes an authentication token to the resource server, which is then able to grant access to the user. This happens instantaneously and is hardly perceptible to the user, creating a seamless and secure login experience without usernames or passwords. You are assured it is the correct user and their smartphone attempting to gain access, and they are certain the server they are accessing is yours.
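The two mechanisms described under Cryptographic Safeguards and in this section, a device public key registered once at activation and a per-login challenge that the device must sign with its private key, are modelled below as an added example. This is illustrative code written for this page, not TraitWare®'s software, and it does not describe their actual protocol, key formats, or the contents of their QR codes. It assumes Ed25519 signatures, a random hex nonce standing in for the per-login QR payload, and a "deviceID|nonce" message layout; all three are choices made for the illustration. The point it adds to the prose is what the server must check for "possession of the device" to mean anything: the nonce is single-use and bound to one device, so a captured response cannot be replayed or presented on behalf of another device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// challenge is a single-use nonce the server hands to one device for one login.
type challenge struct {
	deviceID string
	expires  time.Time
}

// AuthServer models the server side of the flow: the public keys registered at
// activation and the challenges currently outstanding. Constructed for this example.
type AuthServer struct {
	devices    map[string]ed25519.PublicKey
	challenges map[string]challenge
	ttl        time.Duration
}

func NewAuthServer(ttl time.Duration) *AuthServer {
	return &AuthServer{map[string]ed25519.PublicKey{}, map[string]challenge{}, ttl}
}

// Activate registers a device's public key once, at app activation; the private key stays on the device.
func (s *AuthServer) Activate(deviceID string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if _, exists := s.devices[deviceID]; exists {
		return errors.New("device already activated")
	}
	s.devices[deviceID] = pub
	return nil
}

// IssueChallenge creates a random nonce bound to one device and valid for ttl.
// Here it stands in for the per-login payload the user scans from the QR code (assumption).
func (s *AuthServer) IssueChallenge(deviceID string) (string, error) {
	if _, ok := s.devices[deviceID]; !ok {
		return "", errors.New("unknown device")
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(buf)
	s.challenges[nonce] = challenge{deviceID: deviceID, expires: time.Now().Add(s.ttl)}
	return nonce, nil
}

// messageToSign fixes what both sides sign: device ID plus nonce, so a signature
// produced for one device cannot be presented as another's.
func messageToSign(deviceID, nonce string) []byte {
	return []byte(deviceID + "|" + nonce)
}

// SignChallenge is the device side: prove possession of the activated private key.
func SignChallenge(priv ed25519.PrivateKey, deviceID, nonce string) []byte {
	return ed25519.Sign(priv, messageToSign(deviceID, nonce))
}

// Verify accepts a login only if the nonce is outstanding, unexpired, bound to this
// device, and signed by the key registered for it. The nonce is consumed before any
// check, so a captured response cannot be replayed.
func (s *AuthServer) Verify(deviceID, nonce string, sig []byte) error {
	c, ok := s.challenges[nonce]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, nonce)
	if c.deviceID != deviceID {
		return errors.New("challenge was issued to a different device")
	}
	if time.Now().After(c.expires) {
		return errors.New("challenge expired")
	}
	pub, ok := s.devices[deviceID]
	if !ok || !ed25519.Verify(pub, messageToSign(deviceID, nonce), sig) {
		return errors.New("signature does not match the registered device key")
	}
	return nil
}

func main() {
	// Constructed walk-through: one activation, one good login, one replay of the same response.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewAuthServer(2 * time.Minute)
	_ = srv.Activate("phone-A", pub)
	nonce, _ := srv.IssueChallenge("phone-A")
	sig := SignChallenge(priv, "phone-A", nonce)
	fmt.Println("first login:", srv.Verify("phone-A", nonce, sig))    // nil: accepted
	fmt.Println("replayed login:", srv.Verify("phone-A", nonce, sig)) // error: rejected
}
```

Two design choices carry the security value. The nonce is deleted from the outstanding set before any other check runs, so even a response that fails later cannot be retried, and the signed message includes the device ID, so the server never has to trust a claimed identity that the signature does not cover. Expiry is a separate check from single use: a scanned QR payload that sits unused should die on its own rather than stay valid indefinitely.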

TraitWare® also has the ability to use location awareness to help make authentication decisions. Each time a person attempts to authenticate the TraitWare® app on their smartphone, the TraitWare® Server can check to verify that the person’s smartphone is in a location that has been pre-approved for access. For example, a person may be given permissions to access protected information from both a work and a home location, but nowhere else. This helps prevent unauthorized access attempts from stolen or cloned devices and discourages users from accessing sensitive information in unsecured environments.

There are a variety of options for different needs, and TraitWare® offers solutions for both remote access login authentication, as well as internal network authentication. The assurance levels that the various components of the TraitWare Authentication Platform adhere to as defined in NIST 800-63-3/A/B/C can be found in TraitWare NIST 800-63-3 Compliance.

Consider the TraitWare® solution to eliminate usernames and passwords from your workflows forever, and let us help you Secure and Simplify your Digital Life™.

[1] http://www.bankinfosecurity.com/interviews/slow-path-to-password-replacement-i-2467

[2] https://enterprise.verizon.com/resources/reports/dbir/

[3] http://time.com/3700203/anthem-identity-theft-hacking/